JSecurity Release Notes

Version 0.2.1

  • Upgraded to JSecurity 0.9.0 beta 2 - fixes a bug with the "remember me" cookie.
  • The login page now saves the query part of the target URI.
  • Commons Codec has been removed - the classes included with JSecurity should be used instead, such as Sha256Hash.
  • A new configuration option has been added: jsecurity.filter.config. You can set this to a string containing a standard JSecurity "ini" format configuration - this allows you to use the native JSecurity interceptors for particular URLs. In fact, the JSecurity interceptors can be used in combination with the plugin's filter mechanism if you wish. Details of the configuration format can be found in the javadoc for JSecurityFilter.

Version 0.2

Notes on upgrading

When upgrading a project that uses the 0.1.x version of the plugin, the access control will not initially work. It is recommended that you move to the new filter-based mechanism as soon as possible, but you can still use the old controller-based access control definitions by setting this option in Config:

jsecurity.legacy.filter.enabled = true

Even if you set this option, your controllers no longer need to extend JsecAuthBase (and in fact they should not do so).

Second, if you use the standard DB realm, you will have to recreate it because of a breaking change in the authentication code. In addition, if you use CredentialsMatcher implementations in your own realm, you will need to make changes because the corresponding API has changed.

  • AuthController and its views must now be installed via a script - this makes overriding it easier.
  • Access control can now be declared in Grails filters:
    class SecurityFilters {
      def filters = {
        security(controller: '*', action: '*') {
          before = {
            accessControl {
              role('Administrator') || role('Super User')
            }
          }
        }
      }
    }
  • Customise the prefix of the DB realm classes by passing a --prefix=... option to the script (only available with Grails 1.0.3+).
  • Customise the interceptor behaviour by implementing onNotAuthenticated() and onUnauthorized() methods in your filters class. Default behaviour remains as before (redirect to login page for an unauthenticated user, redirect to unauthorized page for unauthorized access).
  • Remember me support added. Both the provided login page and auth controller include the option by default.
  • New <jsec:principal/> tag for writing the principal, e.g. the username, to a page.
  • Failed login message is now internationalized - a default message for code login.failed is installed in a jsecurity.properties file.
  • Basic LDAP realm provided.
  • You can now include standard JSecurity realms by simply defining them in resources.xml or resources.groovy. All beans that implement the Realm interface will be added to the security manager and will be used for authentication and authorization.
  • Specify the authentication strategy to use when you have more than one realm: either "all must succeed" or "at least one must succeed". The default is the former, "all must succeed". To override, add this to your Config:
    jsecurity.authentication.strategy = new org.jsecurity.authc.pam.AtLeastOneSuccessfulModularAuthenticationStrategy()
  • Override the default session type ('http') with the jsecurity.session.mode configuration setting. This can take the values 'http' or 'jsecurity'. The latter allows you to implement single-sign-on.
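As an added example (not code from the plugin or from these release notes), the following SecurityFilters class combines the filter-based access control shown above with the onNotAuthenticated() and onUnauthorized() hooks. The notes only show the role() check; the permission() check, the (subject, filter) hook signatures, and the filter.request / filter.response / filter.redirect accessors are assumed from the plugin's later API, and the 'admin' and 'report' controller names are hypothetical.

```groovy
// grails-app/conf/SecurityFilters.groovy  (added example; assumptions are marked)
class SecurityFilters {

    def filters = {
        // Everything in the 'admin' controller needs one of two roles.
        // This is the same role() check the release notes show.
        admin(controller: 'admin', action: '*') {
            before = {
                accessControl {
                    role('Administrator') || role('Super User')
                }
            }
        }

        // Exporting a report is gated on a fine-grained permission instead of
        // a role. permission() is assumed from the plugin's later API.
        reportExport(controller: 'report', action: 'export') {
            before = {
                accessControl {
                    permission('report:export')
                }
            }
        }
    }

    // Invoked when accessControl fails because nobody is logged in.
    // Overrides the default redirect so that the query string of the
    // requested URI survives the round trip through the login page.
    // Signature (subject, filter) and filter.request/filter.redirect are assumed.
    def onNotAuthenticated(subject, filter) {
        def target = filter.request.forwardURI
        if (filter.request.queryString) {
            target += '?' + filter.request.queryString
        }
        filter.redirect(controller: 'auth', action: 'login',
                        params: [targetUri: target])
    }

    // Invoked when a logged-in user lacks the required role or permission.
    // Instead of the default redirect to the unauthorized page, answer with
    // a plain 403 so that scripted clients get an unambiguous status code.
    // filter.response is assumed.
    def onUnauthorized(subject, filter) {
        filter.response.sendError(403, "Access denied for ${subject.principal}")
    }
}
```

Because Grails runs every matching filter in declaration order and stops the chain as soon as a before closure returns false, a request to the admin controller is rejected by the admin filter before any later filter is consulted; keep the most restrictive rules first.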